IETF Logo Mail Archive

Re: [radext] draft-cullen-radextra-status-realm-00

Alan DeKok <aland@deployingradius.com> Mon, 24 April 2023 20:02 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F394AC151B3B for <radext@ietfa.amsl.com>; Mon, 24 Apr 2023 13:02:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.899
X-Spam-Level:
X-Spam-Status: No, score=-6.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YNzQg2Wchuzf for <radext@ietfa.amsl.com>; Mon, 24 Apr 2023 13:02:07 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EDF85C151B2E for <radext@ietf.org>; Mon, 24 Apr 2023 13:02:06 -0700 (PDT)
Received: from smtpclient.apple (135-23-95-173.cpe.pppoe.ca [135.23.95.173]) by mail.networkradius.com (Postfix) with ESMTPSA id 593D82FF; Mon, 24 Apr 2023 20:01:58 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <CANsiXEK56aVwtjGqrLYsq-syC=zrHVqNzgKV7_gkkZXAkQhQ=w@mail.gmail.com>
Date: Mon, 24 Apr 2023 16:01:56 -0400
Cc: radext@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <DA1886A1-7295-445F-BA46-A342CBECC9DC@deployingradius.com>
References: <CANsiXEK56aVwtjGqrLYsq-syC=zrHVqNzgKV7_gkkZXAkQhQ=w@mail.gmail.com>
To: Terry Burton <tez=40terryburton.co.uk@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/bSnjvbpQvtPChUdv-dCOXVlYH5A>
Subject: Re: [radext] draft-cullen-radextra-status-realm-00
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Apr 2023 20:02:09 -0000

On Mar 28, 2023, at 6:34 AM, Terry Burton <tez=40terryburton.co.uk@dmarc.ietf.org> wrote:
> Regarding draft-cullen-radextra-status-realm-00.
> 
> 
> Section 4.2: "When a RADIUS Proxy receives a RADIUS Request packet, it
> checks to see if the Request contains a Server-Identifier attribute
> indicating that it has already processed this packet. If so, it
> discards the packet. If not, it adds its own Server Identifier to the
> packet before forwarding it."
> 
> Should consideration be given to MTU constraints that may be
> encountered by increasing the hop-by-hop packet size?

  It's worth mentioning.  But at 4K max packet sizes and maybe 64 bytes for Server-Identifier, we'll go through a large number of proxies before we run out of packet.

> Section 6: "If the Max-Hop-Count attribute is present and the value is
> zero, the Request MUST NOT be forwarded and an error response SHOULD
> be returned, as appropriate to the request type."
> 
> May be beneficial to define the appropriate behaviour for each request type:

  I'd suggest that Max-Hop-Count MUST NOT appear in any packet other that Status-Realm-Request.  We haven't needed it so far for Access-Request etc.  So I think it's worth leaving those alone.
> Section 7:
> 
> Status-Realm-Response-Code table needs work:
> 
>  - 256 is missing.
>  - Is there an intended difference between 3 and 259?
>  - 260 has multiple definitions.
> 
> Assuming that 5-255 means temporary reachability issue and 260-511
> means "internal error" (may or may not be reachable), i.e. differing
> semantics rather than extension of the same range.

  OK.

> Is the intent to allow automation on the basis of the Status-Realm, or
> only to support administration?

  Ideally both?  But it's difficult to define automation.  i.e. current systems handle fail-over, etc. somewhat automatically.  How would a system leverage Status-Realm in order to improve those decisions?

  Note that Status-Realm is "end to end", while proxy fail-over, etc. is "hop by hop".  So there's a natural boundary here.

> If the former, to avoid ossification it may be worth splitting the
> values into ranges against which one might associate differing
> behaviours, e.g. Temporary path faults (e.g. "definately
> unreachable"), temporary configuration faults (e.g. "unable to
> dynamically look up a realm"), permanent configuration "faults"
> (invalid realm / prohibited realm), unexpected errors. New definitions
> can be added to the appropriate range.

  Sure.  Error-Cause does something similar.

> Are there recommended policy behaviours for "realm unreachable",
> "status unknown" and "reserved"?

  It's worth mentioning.

  Alan DeKok.

v2.34.0 | Report a Bug | By Email | System Status